A survey of nearly 5,000 executives from Europe, Asia, and North and South America found that over half are largely ineffective at stopping, finding, fixing, or limiting the impact of cyberattacks.
That cybercrime has risen considerably during the Covid pandemic is beyond doubt. Such a surge ought to be met with a matching increase in investment and effort to secure digital systems and data, yet the fourth annual look into the state of cybersecurity by consulting firm Accenture found that, for most organizations, defenses are not keeping pace.
Indeed, although a majority of respondents claimed that their organization had a well-developed cybersecurity strategy, a similar majority also said that they did not know how a cyberattack might affect their business, and many spoke with a somewhat resigned air of a battle they cannot really win.
"A majority of respondents (81%) say that 'staying ahead of attackers is a constant battle and the cost is unsustainable' compared with 69% in 2020," the authors write. "In fact, we found that respondents experienced a 32% increase over 2020 in the number of successful cyber attacks, while some attacks, such as ransomware, have seen a much higher increase."
A rising storm
The report highlights that the organizations surveyed suffered an average of 270 attacks in 2021, a 31% increase on 2020. Indirect attacks dominated, accounting for 61% of all cyberattacks; these are attacks that reach the organization through third parties in its supply chain or wider ecosystem rather than targeting it directly, which is a reminder that an organization's security posture is only as strong as that of the partners it trusts.
The report sorts organizations into four groups along two axes: cyber resilience (how well they stop, find, fix, and contain attacks) and how closely their security program is aligned with the business strategy. For instance, Cyber Risk Takers score well on strategic alignment because they prioritize growth, but they play fast and loose with cybersecurity in their efforts to be as quick to market as possible.
At the opposite corner sit the Business Blockers, organizations whose cybersecurity is strong but so rigid that it fails to support the strategic objectives of the business.
The worst performers are dubbed “the vulnerable,” as their cybersecurity operations are poor and not aligned with the strategy of the business.
That leaves the "Cyber Champions," who the authors argue have struck the ideal balance between cyber resilience and the business objectives of the organization. These organizations are effective at stopping attacks, finding and fixing breaches quickly, and reducing the impact of the attacks that do get through.
The classification matters because Accenture estimates that organizations in the "vulnerable" category would cut the cost of breaches by 71% if they performed at the level of the Cyber Champions, with the Risk Takers and Business Blockers seeing costs reduced by 65% and 48% respectively.
Learning from the best
Despite the varying levels of cybersecurity competency across the respondents, spending on cybersecurity is up across the board: IT security budgets rose 5% on 2020 and now represent 15% of total IT spend.
"This may be the COVID-19 change event—the massive and rapid shift in how they ran their businesses and increased security demands; we won't know until next year if this kind of investment will continue but we do know that budgets are always under scrutiny," the authors explain.
So what do Cyber Champions do to ensure a better return on this investment?
The authors argue that a crucial first step is to ensure that the CISO is not confined to a security-focused silo but engages with business-oriented teams to understand the key strategic risks and priorities of the business, so that security effort is directed at what actually matters to the organization.
"We found that Cyber Champions set themselves apart in terms of their reporting structures," they explain. "Around 70% of the group report to the CEO and Board and they demonstrate a far closer relationship with the CFO—reporting is 7X higher than the other groups."
These relationships are crucial in ensuring that cybersecurity is built in from the very outset of the projects that sit at the heart of an organization's digital transformation, rather than bolted on once a design is already fixed. This sets the Champions apart from the laggards, for whom cybersecurity is too often an afterthought or a reactive response to an actual attack.
Champions are also far more proactive than reactive. Accenture highlights that remediation can cost up to 30 times as much as prevention, so making systems, processes, and data as secure as possible up front is far more effective than firefighting in response to each attack.
Doing this effectively requires that cybersecurity teams work closely with teams across the business as strategic partners to identify and then drive down risk. In the best businesses, this is given the strategic priority it deserves.
Looking into 2022
So what might 2022, and beyond, have in store for us? Given the last few years, the following are likely to be areas of continued interest for those in the industry.
Firstly, GDPR will light the way for invigorated privacy laws that are likely to extend protection of personal information to a large share of the world's population. Organizations will therefore need to revisit their privacy management systems and consider how data inventories, consent handling, and subject-access requests can be automated to keep the workload manageable.
With remote work likely to be an enduring part of how we function, organizations will also need more flexible security, which points to greater use of cloud-delivered security services and of cybersecurity mesh architectures that protect identities and assets sitting outside the traditional network perimeter.
As Accenture illustrates, there will also be a desire to consolidate the number of tools used to make managing cybersecurity that bit easier.
This will be driven in large part by a growing appreciation of the strategic importance of cybersecurity to an organization's business outcomes. That appreciation will spread, and we will see investors treating cybersecurity as a metric when assessing potential opportunities. It will be overseen by a dedicated board presence for cybersecurity, with the most sophisticated firms establishing a cybersecurity committee that keeps security top of mind in every strategic conversation.
Lastly, we will see the continued use of cyberattacks for geopolitical ends, with attacks increasingly able to threaten human lives. This will prompt nation-states to pass legislation in areas such as ransomware, and possibly to tighten regulation of cryptocurrency, in an effort to limit the means of payment available to cybercriminals.